Hacker News new | past | comments | ask | show | jobs | submit login
Dutch government says no to backdoors, grants $540k to OpenSSL (theregister.co.uk)
1144 points by janvdberg on Jan 5, 2016 | hide | past | favorite | 99 comments

As much as I like this I'm sad to say that we also have numerous violations of the law with respect to privacy by many branches of the Dutch government. Journalists have had their phones tapped, the schools and health care providers are asking for ever more absolutely private information about parents from both the parents and their children (this is of course 'for the children' so never mind the violations), finger prints of non-felons are still collected with impunity, dragnet style information collection is on the order of the day, there are no means of transport that are not under continuous surveillance outside of going on foot and by bicycle (and even there the little snitch in your pocket will tell big daddy where you are) and so on.

It's sad that we seem to be able to make the right decisions from time to time but at the same time we are actually making the wrong decisions most of the time. Here's to hoping things will eventually get better, I shudder to think of the kind of catastrophe that would swing the pendulum back the other way and turn the tide.

I agree with most of your points, but why do you think "finger print collection of non-felons" is a problem? There are well-documented examples of that database being used to catch bad guys, and I have not heard of any abuses of that database. So I would think this is one example where a small privacy incursion is offset by a proven gain in security.

I would go as far as saying that collection of fingerprints and DNA profiles should be expanded. I have enough trust in Dutch democracy to change it back again if it turns out not to improve security after all. (As someone who has lived in other countries, I would not say the same of any democracy).

Are you being serious? Do you understand what we are fighting for here?

What if one day, it becomes illegal to be gay? Or have sex with someone out of wedlock?

Then all this data could be used against someone.

I think part of the reason why it seems that we're making the wrong decisions most of the time is that the actual decision-making is less obvious in a lot of situations.

While everybody knows that their mobile phone can be/is tracked as it moves between cell towers, it's far less obvious than an explicit vote for or against some kind of invasion of privacy.

In which case, raising awareness so that people can actively override the decisions being made for them seems like a good place to start.

This is a refreshing voice to hear in the media. I really appreciate the nuance that the Dutch government has displayed here, aligning itself with what most people in this audience would consider common sense.

Are there other governments that have spoken out in support of encryption like this? I'm sure there must be, but (casually following the news) I haven't seen any.

If I'm thinking of the same thing (and I believe I am), the vote actually happened a month or so ago.

The original proposal was to give 500k euro to OpenSSL but what actually was approved was to spread that out amongst OpenSSL, PolarSSL (which, I think, comes from .nl), and LibreSSL, in a manner that was not yet determined.

Personally, I'd prefer to see the majority of it go to the guys working on LibreSSL simply because I think it would have the most impact there. I somewhat expect most of it go to OpenSSL, however, if for no other reason than it being the most widely used of the three.

Yes, the proposal was changed to spend the 500k EUR on open source encryption projects in general, to quote: "OpenSSL, LibreSSL, PolarSSL, etc." - no particular distribution of the money has been decided on as far as I can see.

Source: http://www.tweedekamer.nl/kamerstukken/amendementen/detail?i...

> the vote actually happened a month or so ago.

Yup, I posted the result on HN but nobody cared at that point. I guess it wasn't quite concrete enough because the money would go to "undetermined open source projects that have to do with encryption, such as polarssl and openssl".

The danger of critical infrastructure being attacked digitally is already far greater than the risk of say, a bomb attack. Weakening our digital defenses to spy on terrorists is like throwing your laptop in the pool because you're afraid someone might light it on fire.

"The danger of critical infrastructure being attacked digitally is already far greater than the risk of say, a bomb attack."

This is not true. However, it is important to keep in mind that were it ever true it would be because of blatant negligence on the part of human actors.

It is neither obvious nor inevitable that a nuclear plant will ever be attacked digitally because a nuclear plant need not be networked - even internally.

It is neither obvious nor inevitable that a hydro dam will ever be attacked digitally because a hydro dam need not be networked - even internally.

With an open mind and some creativity this could be true even for things like air traffic control and the power grid. They don't need Internet access. They might not even need IP.

If any of these things are fragile to digital attacks it is because they were gratuitously made fragile.

One only needs to look at the recent issue with hacking cars to see that it is quite possible. A single bomb, short of a nuke, would do far less damage than a virus attacking certain vehicles. The real issue is the effort needed to acquire the bomb/build the virus. Bombs seem to still have a far lower startup cost, so while you may get less bang for your dollar, they are more popular.

Is it popularity or damage/$ that determines what is more dangerous?

Seems you are arguing that it is with 100% certainty not true, because nothing has happened thus far. You don't know what will happen tomorrow though, so you cannot be that certain.

Blatant negligence and human factors seems to me to be what to expect, rather than rare exceptions. — Well, not for nuclear plants. But for the power grid for example, and trains and cars and the water pipe system perhaps.

What I mean is "the potential for damage is far greater". Getting access to the right persons email account could shut down roads, power, communication, etc.

This statement was made early December. And I think it does deserve some nuance:

Minister Steur (Security and Justice) this monday said, representing the second chamber, that "laws that prohibit encryption are not desirable at this time". That doesn't retract their early statement, but I think it's an important nuance. Arguably, it might also just be political play to get some douchebag rightwing parties over the line. (dutch source http://tweakers.net/nieuws/107104/kabinet-beperking-van-encr...)

Similarly, in december, a law was passed that allows authorities to hack 'criminals' without a warrant. In many countries, (liberty) activists are criminals too.

That said, I still appreciate where things are going. Privacy is a very tough political climate and I think it's solid that we (the Dutch) take this standpoint. Baby steps.

Someone who disagrees with your policy does not make them a douche. This is the beginning of illiberal politics: If you are not with me, I will denigrate your person and declare you an enemy. The left wing of Europe was running at full speed towards Stalin / USSR for most of 2nd half of 20th century. It's easier to name-call than to govern.

> Someone who disagrees with your policy does not make them a douche.

Devil's advocate: he never said the parties in question were douches because they disagree with the privacy policy (although in this context it's certainly reasonable to assume it was implied). There's plenty of valid reasons to call the members of the PVV a bunch of douchebags, for example; especially the part where it's a populist party that thrives on insulting everyone else.

You're doing exactly the thing that you're accusing of -- labeling. Just because you disagree with left parties' policies you're labeling them they were running towards Stalin and USSR, which is also not very logical since Stalin died in 1952.

TL;DR version: I use it as an example to illustrate why it's bad to generalize.

More: I don't disagree with left parties policies - I am a Democrat, and would most likely for left-wing parties in most of Europe (or whoever is less xenophobic). I am against tyranny on the left or on the right. I don't like people who support the denigration / dehumanization / oppression of those who they disagree with and marginalize an entire group of people. I can cite you dozens of statements made by the likes of Jean-Paul Sartre, Arthur Scargill, Jan Myrdal, Doris Lessing, Andre Gide, Bertold Brecht, and other lesser known political leaders intellectuals in Western Europe (that is, the part not invaded by Soviets thanks to US intervention), that is supportive of Stalin / supportive of USSR. I am stating a fact, not using slurs.

I am also critical of the right (or anyone, really) that support dictatorial/oppressive governments in Latin America and the Middle East. I am pro individual freedom, liberty, and dignity. I am against people being enslaved either by their own state, or by an exploitative economy through the invisible chains of debt.

For those who have history exam tomorrow: 1953.

Well, the USSR is dead and gone too. Maybe that statement would have been better as the idiom "going the way of the do-do bird?" </sarcasm>

He used an example. He didn't call every left-wing party literally Communist. Classic HN pedantry.

There are some parties / persons in Dutch politics who refrain from healthy discussions and just money grab with popular and sometimes hate inducing statements. It so happens that they disregard any privacy, as well. I call them douches, and I'm very happy and confident to do so.

I think this needs a whole lot more nuance. Minister Steur said that the laws are not desirable at this time, after other cabinet members said it will hurt economic relations. This is not a statement saying we don't want this, this is a statement saying we can't do this right now.

Also, the money going to OpenSSL and others is completely unrelated to the current encryption banning talks going on in the Netherlands. This is a great initiative that should be applauded.

I agree with your conclusion though, but I am very weary of the dutch MoD.

It is indeed a statement that "we can't do this right now". You don't need the implication you're making; it can literally be found in the 'cabinet's standpoint' (see below for a translation). I have the suspicion that it has something to do with the 'utopic' outlooks that other nations and their presidential candidates have come to suggest: "technologists will find a way to have both security and access".

"At this time, there is no outlook on the general possibility to, for example via standards, weaken encryption products without compromising the security of digital systems relying on encryption. By for example introducing a technical point of access into a encryption product which would enable intelligences agencies to view encrypted files, digital systems could be rendered vulnerable to for example criminals, terrorists and foreign intelligence agencies. This would have negative consequences for the security of communicated or saved information, and the integrity of ICT-systems, which are increasingly of importance in the functioning of society." (second paragraph of 'Afweging en conclusie')

(in these debates, there is always an important question: what would Ivo have said? Luckily, somebody has already provided an answer: http://tinyurl.com/whatwouldivohavesaid)

The money going to OpenSSL might be related to the issue the Dutch government ran into in 2011 with the Diginotar (a certificate authority) hack; the TLS certificates for Dutch government websites were compromised at that time. While this hack was not related to weaknesses in OpenSSL (as far as I know), this did put the spotlight on the vulnerability and dependence on of the certificate chain. Supporting the software that provides this crucial layer of security makes a lot of sense for a government that has been bitten once.

The amendment to provide €500 million to open sources encryption project (initially only OpenSSL), was done by D66's Kees Verhoeven. He has a history of asking question about the Snowden revelations and other issues around computer security. He is also partly responsible for the amendment on net neutrality, and the infamous 'cookie law' (which is actually more of a 'do not 3rd party track before asking consent' law).

For example in June has asked questions [1] about "the news that American intelligence agencies used vulnerabilities in encryption software" (specifically weak DH / Logjam).

If anything, this proposal has more to do with Logjam than with Diginotar. Not all too incidently, improving OpenSSL would do nothing to prevent another Diginotar from happening.

[1] http://www.tweedekamer.nl/downloads/document?id=97a9bc20-eca...

You probably mean €500 thousand, not million.

You probably meant "wary". But weary too.

>it might also just be political play to get some douchebag rightwing parties over the line

Who is the real "douchebag" in that case?

Surveillance is not generally a right/left thing and seems to be more an establishment thing.

This issue is captured in the Authoritarian <--> Libertarian axis on the 'grid' representation of political views.

It's the reason I really don't like Hillary. I can put up with her economic and social positions but in my view she hits the tip top of the authoritarian graph and it scares me.

Dutch here. The argumentation is remarkably good. The privacy like you have with letters and phone calls is part of our constitution, and also part of European guidelines. The rules to violate this privacy, only in certain cases, is already part of the law (eg. wiretaps under suspicion). ISPs have to cooperate where possible.

That the dutch intelligence services are now hampered by end-to-end encryption making the ISPs have no way to cooperate any more, is basically the problem of the intelligence services to solve, and not a legal problem. Hence, encryption stays in place.

How much privacy with phone calls is there, when The Netherlands are known for having the most phone taps in the world? The formal privacy looks pretty strong indeed, government needs a warrant, etc., but at the end of the day they can do whatever they want.

From what I hear, police here can also freely access and query all phone metadata, without the need for a warrant.

In the US, there are laws on the books that telecom corps are required to facilitate searches or wiretaps on client communication when presented with a court order. And if you look at the metadata collection deal that Obama passed recently, it says that the NSA can't collect metadata, but telecoms are required to do it instead and produce it when served with a court order. So, it's not at all unprecedented for government to make it a legal problem and put the onus on private industry. This is actually Hillary's most recent stance on encryption. She says if we can't "break" encryption or have backdoors, you have to give us another option. Wouldn't be surprised if Holland and others have a similar idea in mind.

I tried to open the (Dutch) DOCX that contains the official position paper of our government, but LibreOffice refuses to open it:

  File format error found at 
  SAXParseException: '[word/document.xml line 2]: unknown error', Stream 'word/document.xml', Line 2, Column 30060(row,col).

Great. Usually OOXML Word files at least open in LibreOffice, but this one seems to have some unsolvable weirdness. I don't get why they don't offer a PDF download — it, at least, is an open format that can be reliably opened on any OS. Or offer a plain text version, or simply post the paper on their website in HTML.

Please complain to them [1]. They are required to publish that document as ODF, not DOCX. Alternatively PDF or HTML could be used. Using DOCX in Dutch government is against the standard [2], which is ODF 1.2.

[1] http://www.tweedekamer.nl/contact/contact#webform-client-for... [2] https://lijsten.forumstandaardisatie.nl/open-standaard/odf12

Done. The helpdesk representative actually mailed me the PDF version, and said that a PDF version should be forthcoming:

Bijna alle kamerstukken zijn als pdf terug te vinden. Zo te zien worden de recente eerst als doc gepubliceerd.

Apparently new documents can be posted as DOCX only (strange).

You are right to point out the open standard guidelines, but unfortunately, they are marked as comply or explain. This means that they are not mandatory if you have a valid reason not to be able to comply with them. In this case, the reason is probably "our civil servants are used to Microsoft's defaults", which is — as much as I disagree with this policy — probably enough to get away it.

simply post the paper on their website in HTML

This is the UK government advice. Hopefully it’ll percolate through other governments. https://www.gov.uk/service-manual/user-centred-design/choosi...

Works fine for me, but I've made a PDF version: https://drive.google.com/file/d/0B2WvkUwBYadXb3pYVk1pWmIyekk...

Much appreciated. :)

Perhaps something on your end? LibreOffice ( doesn't have a problem with the file on my system.

Interesting. This is LibreOffice

Works in LibreOffice

my old libreoffice (Version: opens it fine.

I guess it is a bug in LibreOffice This is the default version included with Ubuntu 15.10.

It's nice, meanwhile "we" now have a law being debated by government (not sure it will pass) that allows the government to hack individuals if they are suspect, this may even happen via people the suspect may know. It even includes being allowed to install spyware on a webcam.

But I guess it is good to leave encryption strong, forget about mass surveillance and focus energy on individuals actually suspected of a crime.

The cynic in me thinks the reasoning was: "We need a European Google", "We see that Europeans distrust American companies because of NSA economic spying in the past", "Let's make the Netherlands more attractive for large European companies"... no Idealism involved.

Edit: Updated original post: This new law ("Wet Computercriminaliteit 3") has not been passed yet!

As an American unhappy with the way our government is heading (backdoors in encryption), I would love to see a "European Google". I am certainly no expert in laws in the EU but, as I understand it, the data protection laws there are actually pretty good. I would much rather handle/host my data in countries where the companies are held to these standards.

If there is a reasonable suspicion I don't see the problem with giving law enforcement the legal ability to hack their targets. This is something very different from drag-net surveillance and should not be tainted with the same stigma. It's not like the government actually _needs_ or wants to maintain giant botnets of all the targets they've hacked.

Withholding known security vulnerabilities from the public in order to be later used for hacking is immoral and dangerous.

Imagine if the police had prior knowledge of a vulnerability in the computer system of a car, but did not act to protect the public. A few years later a criminal figure out the same vulnerability and causes a major car crash on a motorway and murder several people. I would view the police officer to be found liable under breach of duty, same as if they witnessed a crime and refused to act.

Under the same logic, if companies has a legal responsibility to protect their customers and provide safe products, and police officers has a professional responsibility to report crimes, then the police should be forced to act if they have confirmed information about a security vulnerability.

> if companies has a legal responsibility to protect their customers and provide safe products

Since 1 January there is also a law in the Netherlands that requires companies to report any data leaks.


A data leak is not the same as a security vulnerability. The data leaks refer to organisations having customer data which is hacked. They have to report this. This doesn't cover finding a leak in Flash.

Withholding known security vulnerabilities from the public in order to be later used for hacking is immoral and dangerous.

I was thinking about this when Anonymous "hacked" thousands of ISIS twitter accounts. On the one hand that saves Twitter from having to make a stand themselves - but if they didn't immediately plug those holes, they're leaving legitimate users at risk.

If such a thing is allowed, then higher standards should be applied to forced digital entry by police than are applied to forced physical entry.

Also, one very bothersome side effect of government-sanctioned hacking is that governments have an incentive not to notify software vendors about vulnerabilities.

Without knowing the details, I think this sounds fine as long as there is reasonable suspicion, it is approved by a court or judge, and a warrant is issued to conduct the surveillance.

Indeed, it is the way to go imo, it is akin to a steak-out, hacking friends and family though... a bit fishy.

Yes, you most definitely should not target people not suspected of a crime.

This seems to go against the Dutch Constitution, so hopefully people are fighting this.

Credit where credit is due. This is exactly the right approach. If only other governments would follow suit.

The EU has a remarkable track record on implementing the best of its constituent governments policies on human rights and privacy, so there's hope there.

'Although the Dutch position is nuanced and firm, the government also has the luxury of not having real impact on the real world' noted.

Some people desire simplicity, and will think it into existence if necessary. I expect the author of those words didn't, for example, think about the Netherlands being a net contributor to the EU, he just knew it's a small country.

In the EU, net contributors seem to have something awfully close to an effective veto regarding minor issues, so this is good news.

> In the EU, net contributors seem to have something awfully close to an effective veto regarding minor issues,

Do you have a source for this? I never got this impression. Some countries have proportionally large influence due to their size, namely France and Germany. Some others due to the high quality diplomats and politicians they send to Europe, such as Belgium and Italy.

Some countries actively sabotage their own influence in the EU, by showing nothing but hostility and obstruction (UK), or by using the EU as a kind of retirement plan for politicians and diplomats that failed domestically (Netherlands). Always echoing the German point of view should not be seen as "an effective veto", it is essentially an attempt to stay in favor with their formerly close, powerful friend to the east, who has been getting less and less interested over the years, as his attention shifts towards the East.

I read SZ (sz.de), which has separate articles about major issues and the occasional summary of minor things, e.g. when parliament is dissolved. "Other topics this year included: ..." Those other topics, the ones that don't merit separate articles, are the ones I have in mind.

They actually put money in development of strong encryption, €0.5M. Here are the details from the government ordering to support OpenSSL: https://zoek.officielebekendmakingen.nl/kst-34300-XIII-10

And contrary to the document on the parliament website [1], that link points to the document in PDF, ODT, HTML and XML.

[1] http://www.tweedekamer.nl/kamerstukken/brieven_regering/deta...

I hope we don't get someone in a few years "uncovering secret information that OpenSSL is funded by a foreign government".

They are funding it in public, no secret on that part.

Hopefully they won't fund secret backdoors though :)

I mostly meant the parallels with Tor (which is also openly government funded)

So to OpenSSL and not to LibreSSL?

Apparently, money will go to OpenSSL, LibreSSL and PolarSSL. http://www.theregister.co.uk/2015/12/09/netherlands_votes_to...

Wasn't OpenSSL quite vulnerable and not recommended to use few years back and people were phasing it out? Or am I mistaking this with something else?

You're a bit mistaken. A lot of FOSS political warrghble happened, but OpenSSL still remains the most audited and used SSL library out there.

Yes, it may have bugs. Yes, the NSA may have tampered with the standards themselves (that everyone else must also implement, else risk compatiblity issues in some areas).

But there are no drop in alternatives that aren't based on the same codebase, and almost no one is using any alternatives: NSS (Mozilla's framework) is rarely used outside of Firefox, GnuTLS is rarely used, I've never heard of anyone using PolarSSL outside of very specific embedded projects, and LibreSSL (a OpenSSL fork) is being adopted only as a license-related political response, and BoringSSL is Google's response to the entire thing (their own OpenSSL fork that they control, to just ignore the entire political bullshit).

FWIW, LibreSSL replaced OpenSSL in OpenBSD 5.6 -- over a year ago.

OpenBSD started the LibreSSL project, so, naturally, they would adopt it. OSX has also adopted it for purely license politics reasons, El Capitan shipped with it:

  $ /usr/bin/ssh -V                                             
  OpenSSH_6.9p1, LibreSSL 2.1.8

> "... license-related political reasons ..."

> "... license politics reasons ..."

I'm not sure exactly what you mean by this?

I mentioned OpenBSD replacing OpenSSL with it simply because the "official" OpenSSH is now developed against it.

I'm not sure if LibreSSL is being used for the portable version yet but if/when that happens, I expect people will begin to "trust" it more, leading to more projects potentially deciding to also replace OpenSSL with LibreSSL (i.e. for valid technical reasons, not for "political" ones).

Until the announcement in August 2015, OpenSSL was dual licensed ASL1 + SSLeay License (and by dual licensed, OpenSSL means both apply, instead of choose one), the terms of which make it GPL incompatible, and also has questionable patent issues (a problem for commercial software).

The announcement was that they are moving to Apache License 2.0, thus solving both issues. However, this move has not happened yet.

Debian stable is using LibreSSL for around a year already (Debian started switching just after the fork).

Debian is not using LibreSSL, I just checked. Sid currently ships OpenSSL 1.0.2e, and Jessie currently ships 1.01k.

Ouch, you are correct.

Something changed a while ago, my software stopped working with it, and I could only fix once I followed some LibreSSL guidelines. I thought it was this change, looks like I was wrong.

openssl is still the most popular one everywhere, it will probably be so for a long time.

And I believe RHEL/Fedora use NSS?

NSS is not an OpenSSL drop in.

Firefox, Chrome on platforms other than Android, OSX, and iOS (although I think they have completed removal of the NSS interface and gone with OpenSSL on all platforms, now served by Google's own BoringSSL fork), the mod_nss module for Apache, some Java projects (including some from Redhat and Sun/Oracle) that don't want to use Java's own SSL API, all use NSS.

There was a pretty serious security issue in it, but it was fixed. A lot of people were predicting the end of OpenSSL, but at the end of the day, most viable alternatives came around too late for people to phase it out.

Yes, the OpenBSD folks have forked it as LibreSSL.

This is how it's done, if you truly want a more secure world, that is.

Any government that imposes less taxes (all else being equal) and has thereby managed to entice its population to spend an equivalent or higher amount of time or money on the project did a better job.

Unfortunately their deeds will be unsung.

Damn. This really encourages me to start donating to open source projects.

Don't worry, they can still get your stuff; the new Dutch cybercrime law allows the likes of Fox-IT to hack your laptop/ISP and grab your data from there.

Of course they can. But isn’t it better to target specific computers instead of doing dragnet surveillance on all Internet traffic?

Sure, but not without a warrant.

Does it not bother anyone else that openssl doesn't support HTTPS on their website?

Is an English translation of the original position paper available somewhere?

FWIW, when news first broke I posted a translation of a news article: https://news.ycombinator.com/item?id=10698743

You can read the headline in a hilariously ironic way.

This reminds me of the time when NSA offered an encryption algorithm to the public...

i haven't read the article but isn't this the dutch government just giving money to an existing open source project, to use as they see fit to improve/maintain the existing library?

seems ultimately the opposite of what you're talking about.

Sure, but you never know what (non-public) conditions are attached to the money...

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact